Source code fingers security services for Regin

Security firm Kaspersky claims to have evidence that the aggressive Regin malware was created by the US National Security Agency under the internal codename QWERTY.

Unveiled in November last year, Regin targets Windows machines to alow remote access to its files and operations. The malware is known for being extremely tricky, boasting of features including the use of an encrypted virtual file system using the uncommon RC5 cipher. The result: a highly successful backdoor malware, which has been reported by The Intercept to have been exploited by security services including the UK Government Communications Headquarters (GCHQ) to conduct surveillance on targets including the Begian telecoms company Belgacom.

Making use of such malware is one thing, but additional research by Kaspersky has come to the conclusion that security agencies' involvement with Regin goes deeper. 'Our analysis of the QWERTY malware published by Der Spiegel indicates it is a plugin designed to work part of the Regin platform,' the company explained in reference to a document (PDF warning) published by the German newspaper with source code for the 'Five Eyes' QWERTY malware. 'The QWERTY keylogger doesn't function as a stand-alone module, it relies on kernel hooking functions which are provided by the Regin module 50225. Considering the extreme complexity of the Regin platform and little chance that it can be duplicated by somebody without having access to its sourcecodes, we conclude the QWERTY malware developers and the Regin developers are the same or working together.'

To repeat for clarity: Kaspersky has concluded that not only are national security agencies using the Regin malware to conduct surveillance by infecting thousands of systems world-wide, it is likely that the NSA or a related agency specifically wrote Regin for that purpose - ignoring the fact that it would, as malware does, spread outside their control and infect systems throughout the world.

'The new analysis provides clear proof that Regin is in fact the cyber-attack platform belonging to the Five Eyes alliance, which include the US, Britain, Canada, Australia and New Zealand,' Der Spiegel concluded.